Overlay Transport Virtualization

Transcription

1

2 Overlay Transport Virtualization Brian Farnham Technical Marketing Engineer Nexus 7000

3 Overlay Transport Virtualization Simplifying Data Center Interconnect Any Workload Anytime Anywhere 4

4 Session Objectives The main goals of this session are: This session features a detailed analysis of the architectural aspects and deployment benefits behind The attendees will learn how is aimed at providing Layer 2 connectivity beyond the Layer 3 boundary while maintaining the failure containment and operational simplicity that the Layer 3 boundary provides The attendees will get a deep knowledge of how the control-plane and data-plane work to provide the VLAN extension 5

5 Session Non-objectives This session does not include: In depth discussion of Path Optimization technologies (DNS, LISP, etc.) Storage extension considerations associated to DCI deployments Workload mobility application specific deployment considerations 6

6 Related Cisco Live Events Session-ID BRKDCT-2131 BRKDCT-3060 BRKDCT-2081 BRKDCT-3103 Session Name Mobility and Virtualization in the Data Center with LISP and Deployment Considerations with Interconnecting Data Centers Cisco FabricPath Technology and Design Advanced Configure, Verify and Troubleshoot 7

7 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Design Considerations & New Features 8

8 Distributed Data Centers Goals Ensure business continuity Distributed applications Seamless workload mobility Maximize compute resources 9

9 Data Center Interconnect Traditional Layer 2 Extensions EoMPLS VSS & vpc or FabricPath Ethernet Applies easily for dual site interconnection Over dark fiber or protected D-WDM Easy crypto using end-to-end 802.1AE IP MPLS VPLS Overlay Transport Virtualization MAC in IP Dark Fiber EoMPLS & VPLS & A-VPLS & H-VPLS PE style Multi-tenants Most deployed today 10

10 Challenges in Traditional Layer 2 VPNs Flooding Behavior Pseudo-wire Maintenance Multi-Homing - Unknown Unicast for MAC propagation - Unicast Flooding reaches all sites - Full mesh of Pseudo-wire is complex - Head-End replication is a common problem - Requires additional Protocols & extends STP - Malfunctions impacts multiple sites 11

11 Technology Pillars

12 No Pseudo-Wire State Maintenance Optimal Multicast Replication Dynamic Encapsulation Multipoint Connectivity Point-to-Cloud Model 13

13 Preserve Failure Boundary Built-in Loop Prevention Protocol Learning Automated Multi-Homing Site Independence 14

14 Overlay Transport Virtualization Simplifying Data Center Interconnect Any Workload Anytime Anywhere Nexus 7000 First platform to support (since 5.0 NXOS Release) ASR 1000 Now also supporting (since 3.5 XE Release) 15

15 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 16

16 Terminology Devices and Interfaces Edge Device Performs all functionality Usually located at the Aggregation Layer or at the Core Layer Support for multiple Edge Devices (multi-homing) in the same site Internal Interface Site facing Interfaces of the Edge Devices Carry VLANs extended through Regular Layer 2 interfaces No configuration required Supports IPv4 & IPv6 Edge Device Internal Interfaces Edge Device Core Device Aggregation Device Internal Interface Join Interface Overlay Interface 17

17 Terminology Devices and Interfaces Join Interface One of the uplink of the Edge Device Point-to-point routed interface (physical interface, sub-interface or port-channel supported) Used to physically join the Overlay network No specific configuration required IPv4 only Overlay Interface Virtual interface with most of the configuration Logical multi-access multicast-capable interface Encapsulates Layer 2 frames in IP unicast or multicast Overlay Interface Edge Device Join Interface Core Device Aggregation Device Internal Interface Join Interface Overlay Interface 18

18 Control Plane Building the MAC Tables No unknown unicast flooding (selective unicast flooding in 6.2) Control Plane Learning with proactive MAC advertisement Background process with no specific configuration IS-IS used between Edge Devices MAC Addresses Advertisements West IP A IP B East IP C South 19

19 Control Plane Neighbor Discovery and Adjacency Formation Before any MAC address can be advertised the Edge Devices must: Discover each other Build a neighbor relationship with each other Neighbor Relationship built over a transport infrastructure: Multicast-enabled (all shipping releases) Unicast-only (from NX-OS release 5.2 & IOS-XE 3.9) 20

20 Control Plane Neighbor Discovery (over Multicast Transport) Multicast-enable Transport Control Plane Control Plane West IP A IP B East Mechanism Edge Devices (EDs) join an multicast group in the transport, as they were hosts (no PIM on EDs) hellos and updates are encapsulated in the multicast group End Result Adjacencies are maintained over the multicast group A single update reaches all neighbors 21

21 Control Plane (Multicast Transport) 3 Neighbor IP Addr Neighbor West IP Addr IP A Hello Control Plane 7 Hello Control Plane 4 Hello IP A G West IP A Multicast-enabled Transport IGMP Join G IP B Hello IP A G Hello East 6 Encap IGMP Join G Decap 1 All edge devices join control-group G Hello Hello IP A G IP A G 5 Transport natively replicates multicast to all OIFs 2 Multicast state for group G established throughout transport 6 Decap IGMP Join G IP C Hello IP A G Control Plane 7 Hello South Neighbor IP Addr West IP A 22

22 Control Plane (Multicast Transport) Hello 5 Control Plane Neighbor South IP Addr IP C Bidirectional adjacency formed Neighbor West South 5 IP Addr IP A IP C Hello Control Plane Hello West IP C G Decap IP A Multicast-enabled Transport IP B Hello 4 4 Decap East IP C G Hello Hello IP C G IP C G 3 The South Site creates its hello with West s address in the TLV 2 Encap Hello IP C IP C G Control Plane 1 Hello South Neighbor IP Addr West IP A 23

23 Control Plane Craft 2 update with new MACs MAC Advertisements (over Multicast Transport) Update A VLAN MAC IF 100 MAC A IP A 100 MAC B IP A 100 MAC C IP A Update A 6 Update A IP A G MAC Table VLAN MAC IF 100 MAC A e1/ MAC B e1/ MAC C e1/1 West 3 Encap Multicast-enabled Transport Update A Update A IP A G IP A G 4 5 Update A Decap East IP A G MAC Table VLAN MAC IF 100 MAC A IP A 101 MAC B IP A 102 MAC C IP A 1 New MACs learned in VLANs that are extended 5 Decap Add MACs learned through 7 Update A IP A G 6 VLAN MAC IF 100 MAC A IP A 100 MAC B IP A 100 MAC C IP A Update A South MAC Table VLAN MAC IF 100 MAC A IP A MAC B IP A MAC C Cisco IP Public A 7 Add MACs learned through 24

24 Multicast Transport Control and Data Plane over Multicast Transport Use a High-Available Multicast Rendez-Vous Point (RP) configuration PIM Anycast (RFC4610) or MSDP (Multicast Source Discovery Protocol) Requirements to Control Plane PIM Any-Source-Multicast (ASM) Sparse- Mode Requirements to Data Plane PIM Source-Specific-Multicast (SSM) or BiDir Example: Multicast for on Nexus 7000 feature pim! interface loopback 0 ip pim spare-mode ip address /32! interface loopback 1 ip pim sparse-mode ip address n1-x/32! ip pim rp-address group-list ip pim anycast-rp n1 ip pim anycast-rp n2 ip pim ssm range /24! interface port-channel1 # This Interface peers with the Join Interface ip igmp version3 * n in the last Octet reflects a unique IP address per Router joining the PIM Anycast Group 25

25 Control Plane Neighbor Discovery (Unicast-only Transport) Ideal for connecting a small number of sites With a higher number of sites a multicast transport is the best choice Control Plane Unicast-only Transport Control Plane Release 5.2 and above West IP A IP B East Mechanism Edge Devices (EDs) register with an Adjacency Server ED EDs receive a full list of Neighbors (onl) from the AS hellos and updates are encapsulated in IP and unicast to each neighbor End Result Neighbor Discovery is automated by the Adjacency Server All signaling must be replicated for each neighbor Data traffic must also be replicated at the head-end 26

26 Control Plane CLI Verification Establishment of control plane adjacencies between Edge Devices (multicast or unicast transport): dc1-agg-7k1# show otv adjacency Overlay Adjacency database Overlay-Interface Overlay100 : Hostname System-ID Dest Addr Up Time Adj-State dc2-agg-7k1 001b.54c2.efc :08:53 UP dc1-agg-7k2 001b.54c2.e1c :43:27 UP dc2-agg-7k2 001b.54c2.e :49:11 UP Unicast MAC reachability information: dc1-agg-7k1# show otv route Unicast MAC Routing Table For Overlay100 VLAN MAC-Address Metric Uptime Owner Next-hop(s) c07.ac01 1 3d15h site Ethernet1/ d70e 1 3d15h site Ethernet1/ f3.88ff 42 2d22h overlay dc2-agg-7k f d22h overlay dc2-agg-7k2 Local Site MAC Remote Site MAC 27

27 Data Plane Inter-Site Packet Flow 2 Layer 2 Looku p MAC TABLE VLAN MAC IF 100 MAC 1 Eth 2 Transport Infrastructure 100 MAC 2 Eth 1 Encap 100 MAC 2 IP A MAC 1 MAC MAC 1 MAC MAC 1 MAC 3 IP A IP B 100 MAC 3 IP B IP A IP B MAC 3 Eth MAC 4 IP B IP A 3 4 Decap 5 IP B MAC TABLE VLAN MAC IF 100 MAC 1 IP A 100 MAC 4 Eth 4 6 Layer 2 Looku p MAC 1 MAC 3 1 West East Server 1 Site Site Server 3 7 MAC 1 MAC 3 28

28 Data Plane Encapsulation 42 Bytes overhead to the packet IP MTU size (IPv4 packet) Outer IP + Shim - Original L2 Header (w/out the.1q header) 802.1Q header is removed and the VLAN field copied over to the shim header Outer shim header contains VLAN, overlay number, etc. Consider Jumbo MTU Sizing 802.1Q header removed Q DMA C SMA C Q Ether Type DMAC * The 4 Bytes of.1q header have already been removed SMAC Ether Type 6B 6B 2B 20B 8B IP Header Shim 20B + 8B + 14B* = 42 Bytes of total overhead L2 Header 14B* Payloa d Original L2 Frame CRC 4B 29

29 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 30

30 Spanning-Tree and Site Independence Site transparency: no changes to the STP topology Total isolation of the STP domain Default behavior: no configuration is required BPDUs sent and received ONLY on Internal Interfaces The BPDUs stop here L L 3 2 The BPDUs stop here 31

31 Unknown Unicast and No Longer Unknown Unicast Storms Across the DCI MAC TABLE VLAN MAC IF 100 MAC 1 Eth1 No requirements to forward unknown unicast frames Assumption: end-host are not silent or uni-directional Default behavior: no configuration is required L L MAC 2 IP B No MAC 3 in the MAC Table MAC 1 MAC 3 32

32 Unknown Unicast and Selective Unicast Flooding New Release 6.2 Some Application requirement to forward unknown unicast frames Selective Unicast Flooding can be enabled per mac address Default behavior: no unknown unicast forwarding Unknown Unicast MAC State IF Enable Flooding for MAC Blk Overlay Blk Overlay Fwd Overlay1 L L 3 2 -a # conf Enter configuration commands, one per line. End with CNTL/Z -a(config)# otv flood mac vlan 172 MAC 1 MAC 3 VLAN 100 MAC 6 MAC 7 VLAN

33 Controlling ARP Traffic ARP Neighbor-Discovery (ND) Cache ARP cache maintained in Edge Device by snooping ARP replies First ARP request is broadcasted to all sites. Subsequent ARP requests are replied by local Edge Device Timeout can be adjusted (as per NX-OS 6.1(1)) Drastic reduction of ARP traffic on DCI ARP spoofing can be disabled IPv4 only feature Default behavior: no configuration is required New: Release 6.1 -a(config)# interface overlay 1 -a(config-if-overlay)# no otv surpress-arp-nd # Allows ARP requests over an overlay network and disables ARP caching on edge devices. This command does not support IPv6. -a(config)# interface overlay 1 -a(config-if-overlay)# otv arp-nd timeout 70 # Configures the time, in seconds, that an entry remains in the ARP-ND cache. The time is in seconds varying from 60 to The default timeout value is 480 seconds. 34

34 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 35

35 Multi-homing Fully Automated Multi-homing No additional protocols required (i.e. BGP) site-vlan used to discover neighbor in the same site Authoritative Edge Device (AED) Election takes place Extended VLANs are split across the AEDs The AED is responsible for: AED Site Adjacency L L 3 2 AED MAC address advertisement for its VLANs Forwarding its VLANs traffic inside and outside the site Site Adjacency used for AED election 36

36 Hardened Multi-homing Introducing Site-identifier Same site devices must use common site-identifier Site-id information is included in the control plane Makes multi-homing more robust and resilient Site Adjacency and Overlay Adjacency are now both leveraged for AED election An overlay will not come up until a site-id is configured Site and Overlay Adjacency are both leveraged for AED election AED Overlay Adjacency Site Adjacency L L 3 2 Release 5.2 and above AED feature otv otv site-identifier 0x1 otv site-vlan 99 37

37 Multi-homing VLANs Split across AEDs Automated and deterministic algorithm In a dual-homed site: Lower IS-IS System-ID (Ordinal 0) = EVEN VLANs Higher IS-IS System-ID (Ordinal 1) = ODD VLANs Remote Device MAC Table VLAN MAC IF 100 MAC 1 IP A 101 MAC 2 IP B -a# show otv vlan Extended VLANs and Edge Device State Information (* - AED) VLAN Auth. Edge Device Vlan State Overlay East-b inactive(non AED) Overlay * East-a active Overlay East-b inactive(non AED) Overlay100 -b# show otv vlan Extended VLANs and Edge Device State Information (* - AED) VLAN Auth. Edge Device Vlan State Overlay * East-b active Overlay East-a inactive(non AED) Overlay * East-b active Overlay100 AED ODD VLANs IP A Overlay Adjacency Site Adjacency -a -b IP B AED EVEN VLANs 38

38 Multi-homing AED and Broadcast Handling 1. Broadcast reaches all the Edge Devices within the site 2. Only the AED forwards the traffic to the Overlay 3. All the Edge Devices at the other sites receive the broadcast 4. At the remote sites only the AEDs forward it into the site Broadcast stops here Broadcast stops here Bcast pkt Core AED AED 39

39 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing Mobility L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 40

40 and MAC Mobility MAC Moving and Updates (1) 1. Workload moved between Data Center sites VM Moves MAC X MAC X MAC X ESX MAC X Core MAC X ESX MAC X AED AED 41

41 and MAC Mobility MAC Moving and Updates (2) 1. Workload moved between Data Center sites 2. Workload is detected in East DC and control plane is triggered 2.3) AED advertises MAC X with a metric of zero MAC X MAC X MAC X MAC X MAC X ESX MAC X Core MAC X ESX MAC X MAC X MAC X MAC X AED 2.4) EDs in site West see MAC X advertisement with a better metric from site East and change them to remote MAC address. AED 2.2) AED detects MAC X is now local 2.1) Server originates a Gratuitous ARP (GARP) frame 42

42 and MAC Mobility MAC Moving and Updates (3) 1. Workload moved between Data Center sites 2. Workload is detected in East DC and control plane is triggered 3. East to West data plane traffic allows to update the MAC tables of the L2 devices in West Site 3.2) AED in site West forwards the GARP into the site and the L2 switches update their CAM tables MAC X MAC X MAC X MAC X ESX MAC X MAC X Core MAC X MAC X ESX AED 3.1) AED in site East forwards the GARP broadcast frame across the overlay AED Note: GARP is used as example traffic, same behavior is achieved with any other L2 broadcast frames exchanged 43

43 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 44

44 L2 Multicast Traffic between Sites Multicast Enabled Transport can leverage the multicast support available in the transport network to optimize the delivery of the multicast traffic for the VLANs stretched across sites Three steps: 1. Automated mapping of the sites multicast groups to a range of multicast groups in the transport network 2. Creation of the Multicast state information at the Edge Devices 3. Sites Multicast traffic delivered over the Overlay 45

45 1) The Mcast source starts sending traffic to the group Gs1 L2 Multicast with Multicast Transport Step 1 Mapping of the Site Multicast Group The site multicast groups are mapped to a SSM group range in the core Each (S1,Gs1) maps to a different SSM group in round-robin fashion 1 S1 Gs1 S1 S2 Gs2 S2 4 Mcast Stream Mcast Group Mapping Site Group West Gs1 Gs2 2 4) Same process happens once source S2 is enabled (sending to a different group Gs2) Core Group Gd1 Gd2 Mapping to a Delivery Group IP A 2) The West ED maps (S1,Gs1) to a delivery group Gd1 3) The West ED communicates the mapping information (including the source VLAN) to the other EDs The Mapping is communicated to the other EDs 3 IP C Multicast-enabled Transport South IP B East 46

46 L2 Multicast with Multicast Transport Step 2 Multicast State Creation Group S1 Gs1 S1 OIF-List Gs1 Gd1 West IF Overlay 4) The source ED adds the Overlay interface to the Outbound Interfaces (OIF) 4 Receive GM-Update Update OIL IP A SSM Tree for Gd1 5) The SSM tree for Gd1 (rooted at the source ED) is built in the core) IP C 3.1) ED Announces the receivers in a Group- Membership Update (GM- Update) to all other EDs Multicast-enabled Transport South GM-Update IGMPv3 report to join (IP A, Gd1), the SSM group in the Core. 2 IP B 3.2) ED Sends an IGMPv3 report to join the (IP A, Gd1) SSM group in the core 2) The ED snoops the IGMP join (without forwarding it) Client IGMP snoop 1 Client IGMP report to join Gs1 East 1) A receiver in the East site sends an IGMP join for Gs1 Receiver (for Gs1) It is important to clarify that the edge devices join the core multicast groups as hosts, not as routers! 47

47 L2 Multicast with Multicast Transport Step 3 Multicast Packet Flow 1 Looku p S1 Gs1 S1 Group West OIF-List Gs1 Gd1 IF Overlay s1 Gs1 IP A Gd1 IP A 2 Encap IP C S1 Gs1 Multicast-enabled 3 Transport Transport IP A Gd1 Decap 4 South 5 Replication S1 Gs1 Receiver (for Gs1) S1 Gs1 IP B 4 IP A Gd1 Decap 5 East S1 Gs1 Receiver (for Gs1) 48

48 L2 Multicast with Multicast Transport Multicast Groups in the Core can leverage the benefits of a multicast-enabled transport for both control and data planes. The following summarizes the requirements for a multicast transport: Control group Single PIM-SM or PIM-Bidir group used to form adjacencies and exchange MAC reachability information Data groups Range of SSM groups used to carry multicast data traffic generated by the sites interface Overlay100 otv join-interface e1/1 otv control-group otv data-group /24 otv extend-vlan The right number of SSM groups to be used depends on a tradeoff between the amount of multicast state to be maintained in the core and the optimization of Layer 2 multicast traffic delivery 49

49 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 50

50 QoS and Marking on Encapsulation On Encapsulation CoS bits (802.1p) copied to the shim header If IP traffic: The original (inner) DSCP value is also copied to outer DSCP Release 5.2 and above DMAC SMAC 802.1Q ETHERTYPE IP (optional) Q West CoS 802.1p IP A Inner DSCP IP (optional) Original Frame Outer DSCP shim IP B East 2 Encap 51

51 QoS and Marking on De-capsulation On De-capsulation CoS value is recovered from the shim and added to the 802.1Q header Original CoS and DSCP are both preserved Control Traffic is statically marked at CoS = 6/DSCP = 48 Release 5.2 and above Decap 1 West IP A IP (optional) Original Frame Outer DSCP shim IP B 2 East 802.1Q DMAC SMAC 802.1Q ETHERTYPE IP (optional) CoS 802.1p Inner DSCP 52

52 Scalability Current and Future Supported Values Release NX-OS 6.2 8* 32k 4000 NX-OS 5.2 6* k 2000 * two ED per Site Sites extended VLANs MAC addresses across all the extended VLANs Multicast Data Groups 53

53 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 54

54 Path Optimization Egress Routing Optimization Hot Potato Routing 55

55 Path Optimization Egress Routing with LAN Extension Extended VLANs typically have associated HSRP groups By default, only one HSRP router elected active, with all servers pointing to HSRP VIP as default gateway Result: sub-optimal routing Routing HSRP Hellos ARP reply Packet from ARP Vlan for 10 to Vlan 20 HSRP DMAC VIP = DGW HSRP Active HSRP Standby HSRP Listen HSRP Listen Packet from Vlan 10 to Vlan 20 DMAC = Host Vlan 20 VLAN 20 VLAN 10 56

56 Egress Routing Localization FHRP Filtering Solution Filter FHRP with combination of VACL and MAC route filter Result: Still have one HSRP group with one VIP, but now have active router at each site for optimal first-hop routing HSRP Active HSRP Hellos HSRP Standby HSRP Filter HSRP Active Listen HSRP Hellos HSRP Standby Listen ARP for HSRP VIP ARP reply VLAN 20 VLAN 10 57

57 Path Optimization Optimal Routing Challenges Layer 2 extensions represent a challenge for optimal routing Challenging placement of gateway and advertisement of routing prefix/subnet WAN Ingress: North-South / Client-Server Ingress: North-South / Client-Server HSRP Active HSRP Standby HSRP Filter HSRP Active HSRP Standby Egress: South-North / Server-Client East-West / Server-Server Egress: South-North / Server-Client 58

58 Path Optimization Is it relevant to my Data Center model? Logical Data Center or Physical Data Center? High Availability or Disaster Recovery? Ingress: North-South / Client-Server WAN Ingress: North-South / Client-Server Egress: South-North / Server-Client Is this ONE Logical Data Center? Or do I have TWO (High Availability) separated Data Physical & Logical Center? East-West / Server-Server Egress: South-North / Server-Client 59

59 Specific Use-Case IPv6 and IPv6 Unicast Forwarding and Multicast Flooding supported across - Requires to disable optimized multicast forwarding (OMF) in IGMP snooping on ED IPv6 Transport Network (Join Interface & Source Interface, not yet supported) Release 5.2 and above DC West vpc/vpc+ Domain DC Edge Device (VDC) East Global (all VLAN): no ip igmp snooping optimise-multicast-flood Per VLAN with IPv6 Traffic vlan vlan-id vlan configuration no ip igmp snooping optimise-multicast-flood 60

60 Ingress Routing Localization Possible Solutions Challenge Subnets are spread across locations Subnet information in the routing tables is not specific enough Routing doesn t know if a server has moved between locations Traffic may be sent to the location where the application is not available Options DNS Based Route Injection LISP Locator/ID Separation Protocol For more details on LISP and Deployment see: BRKDCT

61 Overlay Transport Virtualization Simplifying Data Center Interconnect Any Workload Anytime Anywhere 62

62 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Design Considerations & New Features 63

63 Support ASR1000 has been introduced in IOS XE 3.5 (Nov 2011) To use on ASR1000, you require: Advance Enterprise Image or Advance IP Service + feature license ASR1k <-> N7k Inter-Site Interoperability has been tested No ASR1k <-> N7k Multihoming Support (Intra-Site Interoperability) on ASR1000 Use Cases are: Legacy Deployments where DC may still be Catalyst based New Small Data Center and/or Disaster Recovery Sites where Main DC is equipped with Nexus 7000 with Layer-3 Encryption where MACSec is no option for Inter-DC Encryption 64

64 Support ASR 1000 New Features for IOS-XE 3.9 Adjacency Server (unicast) with LISP ESM RPVST STP Support New Features for IOS-XE 3.10 Portchannel for join interface VRF Aware Subinterface for join interface Layer 2 portchannel 65

65 Specific Use-Case Transparent Firewall and extended Inside & Outside VLANs Transparent/Bridged Firewall is separating extended VLANs is sharing the same MAC address per Edge-Device VLAN Inside FW VLAN DC Outside West FW VLAN Outside FW DC East VLAN Inside FW 66

66 Specific Use-Case Transparent Firewall and extended Inside & Outside VLANs is sending PIM hellos with source of destination Hello is sourced from Edge Device (VDC) MAC Address Firewall MAC Table MAC VLAN Zone ED 100 Inside ED 150 Outside VLAN 150 Outside Firewall DC West VLAN 100 Inside Firewall PIM Hellos sourced from (ED MAC Address) on VLAN 150 PIM Hellos sourced from (ED MAC Address) on VLAN

67 compared to FabricPath Is FabricPath a valid Solution to replace is purpose build for Data Center Interconnects Cisco Validated Designs (CVDs) Specific Data Center Interconnect features On Data Center Interconnect, FabricPath is NOT so Plug and Play No specific DCI functions Designs gotchas but do not impact all customers Multidestination Trees capacity planning is key FabricPath can be a valid Data Center Interconnect solution when: Short distances between Data Centers Multicast is not massively used If you know and accept where your Traffic Flows (Multidestination Trees) 68

68 compared to FabricPath Yes, but Data Center Interconnect is NOT LAN Switching Customer s constraints/needs are unique Scoping is based on Application Involved Number of DC sites, meshing, distances, bandwidth requirements Customer Perception Traffic Flows (Unicast, Multicast & Flooding) Operations Simplicity Failure Isolation Transport Failure Detection 3+ Sites Optimization High Availability L2 Functions L3 Unicast Functions Multicast Functions FabricPath Stacking VSS vpc Scalability 69

69 Internal Interface New Feature for in NX-OS 6.2 Nexus 7000 Hardware Support F3 Support for in 6.2(6) Enable on Nexus 7700 Series No Tunnel Depolarization or VLAN Translation in 6.2(6) on F3 Join-Interface M1 M2 F3 M1 M2 F1 F2e F3 M1, F1, F2e F1 and F2e support for internal Interface F1 and F2e linecards have the ability to be internal interfaces VDC Join Interface Internal Interface (CE) M-Series interface F/M-Series interface Routed Uplinks to Core Aggregation VDC (M-only, M1-F1 or F2/F2e) New Release 6.2 Interfaces to Access (Classic-Ethernet or FabricPath) L3 L 2 70

70 New Features for Tunnel Depolarization & Secondary IP Secondary IP command introduced Configured within interface, not interface Introduction of multiple IPs results in tunnel depolarization VDC Release 6.2(6) -a (config-if)# sh otv -a(config-if)# ip address /24 secondary Disabling IP Redirects on port-channel11 :secondary address Overlay Information configured. Site Identifier a(config-if)# sh run int po11 Overlay interface Overlay1!Command: show running-config interface port-channel11!time: Wed Mar 27 23:05: VPN name : Overlay1 VPN state : UP version 6.2(2) Extended vlans : (Total:182) Control group : interface port-channel11 Data group range(s) : /24 no ip redirects Broadcast group : ip address /24 Join interface(s) : Po11 ( ) ip address /24 secondary Secondary IP Addresses: : ip ospf network point-to-point Site vlan : 1 (up) ip router ospf 1 area AED-Capable : Yes1 ip igmp version 3 Capability : Multicast-Reachable 71

71 New Features for VLAN Translation: Translation through transit VLAN When a different VLAN is used at multiple sites Usually for 3 or more sites Release 6.2 VLAN 400 VLAN 200 VLAN 100 DC West DC East 72

72 New Features for VLAN Translation: Translation through transit VLAN Release 6.2 -a(config)# int overlay1 -a(config-if-overlay)# otv vlan mapping 100 to 400 -a(config-if-overlay)# sh run int overlay1!command: show running-config interface Overlay1!Time: Fri Mar 29 19:01: version 6.2(2) interface Overlay1 otv isis hello-multiplier 9 otv join-interface port-channel11 otv control-group otv data-group /24 otv extend-vlan 25-50, otv vlan mapping 100 to 400 no shutdown -a(config-if-overlay)# sh otv vlan-mapping Original VLAN -> Translated VLAN > 400 -B(config)# int overlay1 -B(config-if-overlay)# otv vlan mapping 200 to 400 -B(config-if-overlay)# sh run int overlay1!command: show running-config interface Overlay1!Time: Fri Mar 29 19:02: version 6.2(2) interface Overlay1 otv isis hello-multiplier 9 otv join-interface port-channel21 otv control-group otv data-group /24 otv extend-vlan 25-50, otv vlan mapping 200 to 400 no shutdown -B(config-if-overlay)# sh otv vlan-mapping Original VLAN -> Translated VLAN >

73 Convergence Small and Large Scale Targets (Extreme Failures) New Release 6.2 Large Scale Small Scale <30sec <10sec < 10sec <3sec 74

74 Challenges in Traditional Layer 2 VPNs Solved by Flooding Behavior Pseudo-wire Maintenance Multi-Homing - Unknown Control-Plane Unicast Based for MAC Learning propagation - Unicast Flooding reaches all sites - Full Dynamic mesh Encapsulation of Pseudo-wire is complex - Head-End replication is a common problem - Requires Native additional Automated Protocols Multi-Homing & extends STP - Malfunctions impacts multiple sites 75

75 Agenda Distributed Data Centers: Goals and Challenges Architecture Principles Control Plane and Data Plane Failure Isolation Multi-homing L2 Multicast Forwarding QoS and Scalability Path Optimization Design Considerations & New Features 76

76 Overlay Transport Virtualization Simplifying Data Center Interconnect Any Workload Anytime Anywhere 77

77 Where can help YOU simplify Data Center Interconnects?

78 Complete Your Online Session Evaluation Complete your online session evaluation Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 79

79

80 Call to Action Visit the Cisco Campus at the World of Solutions to experience the following demos/solutions in action: Data Center booth area, VXLAN Demo Get hands-on experience with the following Walk-in Labs Nexus 7000 Virtualization Lab, LISP Hands-On Lab, Implementing VXLAN in the Datacenter Meet the Engineer Brian Farnham, Victor Moreno, Lukas Krattiger, Andy Gossett, Ron Fuller Discuss your project s challenges at the Technical Solutions Clinics Attend one of the Lunch Time Table Topics, held in the main Catering Hall Recommended Reading: For reading material and further resources for this session, please visit CL365 -Visit us online after the event for updated PDFs and on-demand session videos. 81